Multiple Entry Point for Site to Site VPN

In This Section:

Configuring Explicit MEP

Configuring Implicit First to Respond

Configuring Implicit Primary-Backup

Configuring Implicit Load Distribution

Routing Return Packets

Configuring IP Pool NAT

Configuring Explicit MEP

Explicit MEP is only available in Site-to-Site Star VPN communities where multiple central Security Gateways are defined.

To configure MEP:

  1. Open the Star Community object and go to the MEP page.
  2. Select Enable center gateways as MEP.
  3. Select an entry point mechanism:
    • First to respond
    • By VPN domain
    • Random selection
    • Manual priority list

    If you select By VPN domain or Manual priority list, go to the Advanced section and choose First to respond or Random selection to decide how a Security Gateway is chosen when more than one has the same priority.

    If you select Manual priority list, click Set to create the MEP rules that make up the priority list.

  4. Select a Tracking option, if required.

Configuring Implicit First to Respond

When more than one Security Gateway leads to the same (overlapping) VPN domain, those Security Gateways form a MEP configuration, and the first Security Gateway to respond to the peer is chosen. To configure First to Respond, define the part of the network that is shared by all the Security Gateways as a single group, and assign that group as the VPN domain of each of them.

Before you start, make sure that Load Distribution is not enabled:

  1. In R80 SmartConsole, go to Menu > Global Properties > VPN > Advanced.
  2. Clear the Enable load distribution for Multiple Entry Points option.

To configure First to Respond MEP:

  1. On each Security Gateway in the VPN domain, run vpn overlap_encdom to list the overlapping VPN domains and confirm which Security Gateways share them.
  2. In R80 SmartConsole, create a Network Group that contains all of these Security Gateways.
  3. In each Security Gateway object, go to the Network Management > VPN Domain page and select Manually defined.
  4. Select the group of MEP Security Gateways that you defined in step 2.
  5. Click OK.
  6. Install the Access Control Policy on all of these Security Gateways.

Configuring Implicit Primary-Backup

Configure one VPN domain that includes the primary gateway, and a separate VPN domain for each backup gateway that does not overlap the primary domain or any other backup domain (for example, a domain that contains only the backup gateway itself). Each gateway is configured as either the primary gateway or a backup gateway.

To configure the primary gateway:

  1. In Menu > Global Properties > VPN > Advanced, select Enable Backup Gateway.
  2. In the Object Explorer, click New > Network Group and create a group of gateways to act as backup gateways.
  3. Edit the Primary gateway object and open the IPsec VPN page.
  4. Select Use Backup Gateways, and select the group of backup gateways.

    This gateway is the primary gateway for this VPN domain.

  5. For each backup gateway, define a VPN domain that includes no IP address that is in the primary VPN domain or in another backup domain.

    If the backup gateway already has a VPN domain, make sure that its IP addresses do not overlap with the other VPN domains.

    1. Create a group of IP addresses not in the other domains, or a group that consists of only the backup gateway.
    2. In the backup network object, go to the Network Management > VPN Domain section, select Manually defined.
    3. Select the group.
  6. Click OK.
  7. Install the policy.
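The two implicit modes above place opposite requirements on the VPN domains: First to Respond wants every MEP gateway to carry the same shared group, while Primary-Backup wants the backup domains to be disjoint from the primary domain and from each other. The following script is an added example (not Check Point code, and not the output of vpn overlap_encdom) that checks both conditions from the prefixes you intend to put in each gateway's Manually defined VPN domain. Gateway names, prefixes and the function names are constructed for illustration.

```python
"""Check the VPN domain definitions for the two implicit MEP modes above.

Added example, not Check Point code or command output. Gateway names and
prefixes are constructed; each entry models the group assigned to a gateway
under Network Management > VPN Domain > Manually defined.
"""
import ipaddress
from collections import Counter
from itertools import combinations

# Constructed sample for First to Respond: all MEP gateways get the same group.
FIRST_TO_RESPOND = {
    "gw-a": ["10.10.0.0/16", "10.20.0.0/16"],
    "gw-b": ["10.20.0.0/16", "10.10.0.0/16"],   # same group, listed in another order
    "gw-c": ["10.10.0.0/17"],                   # mistake: only part of the shared domain
}

# Constructed sample for Primary-Backup: every backup domain must be disjoint.
PRIMARY_BACKUP = {
    "gw-primary": ["10.10.0.0/16"],
    "gw-backup1": ["192.0.2.11/32"],   # a group that contains only the backup gateway
    "gw-backup2": ["10.10.5.0/24"],    # mistake: lies inside the primary domain
}


def _nets(prefixes):
    return frozenset(ipaddress.ip_network(p, strict=False) for p in prefixes)


def overlapping_pairs(domains):
    """Every pair of gateways whose VPN domains share at least one address.

    Overlap is what makes two gateways an implicit MEP pair; on the gateway
    itself, `vpn overlap_encdom` reports the same condition.
    """
    hits = []
    for (g1, p1), (g2, p2) in combinations(domains.items(), 2):
        for n1 in sorted(_nets(p1)):
            for n2 in sorted(_nets(p2)):
                if n1.overlaps(n2):
                    hits.append((g1, g2, str(n1), str(n2)))
    return hits


def check_first_to_respond(domains):
    """Gateways whose domain differs from the one most gateways share.

    First to Respond expects the shared part of the network to be one group
    that is assigned, unchanged, to every MEP gateway.
    """
    sets = {g: _nets(p) for g, p in domains.items()}
    reference = Counter(sets.values()).most_common(1)[0][0]
    return sorted(g for g, s in sets.items() if s != reference)


def check_primary_backup(domains, primary):
    """Backup gateways whose domain overlaps the primary or another backup.

    The procedure above requires each backup VPN domain to contain no address
    that is in the primary domain or in any other backup domain.
    """
    bad = set()
    for g1, g2, _, _ in overlapping_pairs(domains):
        bad.update(g for g in (g1, g2) if g != primary)
    return sorted(bad)


if __name__ == "__main__":
    print("First to Respond mismatches:", check_first_to_respond(FIRST_TO_RESPOND))
    print("Primary-Backup overlaps:", overlapping_pairs(PRIMARY_BACKUP))
    print("Backup gateways to fix:", check_primary_backup(PRIMARY_BACKUP, "gw-primary"))
```

Run it against the prefixes of your own groups before you install the policy; a gateway that the script flags in Primary-Backup mode is one that the gateways would otherwise treat as part of an implicit First to Respond pair.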

Configuring Implicit Load Distribution

To configure implicit MEP for random gateway selection:

  1. Click Menu > Global Properties.
  2. Open the VPN > Advanced page.
  3. Select Enable load distribution for Multiple Entry Point configurations (Site to Site connections).
  4. Define the same VPN domain for all the gateways:
    1. Create a group of the gateways.
    2. In each gateway network object, go to the Network Management > VPN Domain page, and select Manually defined.
    3. Select the group.
  5. Click OK.
  6. Install the Access Control Policy.

Routing Return Packets

To make sure that return packets are routed correctly, the MEP Security Gateway can use either:

• IP pool NAT (static NAT), or

• the Route Injection Mechanism (RIM). For more information on RIM, see Configuring RIM in a Star Community.

Without one of these, a reply from a host behind the MEP Security Gateways may be routed to a different Security Gateway than the one that received the original packet, and that Security Gateway has no tunnel or connection state for it.

Configuring IP Pool NAT

To configure IP pool NAT for site to site VPN:

  1. In Menu > Global Properties, open the NAT page and select Enable IP Pool NAT.
  2. Set tracking options for address exhaustion and for address allocation and release.
  3. For each Security Gateway, create a network object that represents the IP pool NAT addresses for that Security Gateway. The IP pool can be a network, group, or address range. For example:
    • Open the Object Explorer (Ctrl+E) and click New > Network Object > Address Range > Address Range. The New Address Range window opens.
    • On the General tab, enter the first IP and last IP of the address range.
    • Click OK.
  4. On the Security Gateway object where IP pool NAT translation is performed, in the NAT > IP Pool NAT page, select either
    • Allocate IP Addresses from, and select the address range you created, OR
    • Define IP Pool addresses on Security Gateway interfaces. If you choose this option, you need to define the IP Pool on each required interface, in the Interface Properties window, IP Pool NAT tab.
  5. In the IP Pool NAT page, select one or more of:
    • Use IP Pool NAT for VPN clients connections
    • Use IP Pool NAT for Security Gateway to Security Gateway connections
    • Prefer IP Pool NAT over Hide NAT
  6. Click Advanced...
    • Set after how many minutes unused addresses are returned to the IP pool.
    • Click OK twice.
  7. Edit the routing table of each internal router so that packets destined for an IP address in a Security Gateway's NAT pool are routed to that Security Gateway.
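The steps above hang together only if every gateway has its own pool: the internal router routes a return packet by the pool address it carries, so that address must identify one gateway. The following model is an added example (not Check Point code) of a per-gateway IP pool with the exhaustion tracking from step 2 and the idle timeout from step 6, together with the routes an internal router needs for step 7. Pool ranges, gateway names, the class and function names and the route format are constructed assumptions.

```python
"""Model of IP pool NAT allocation per MEP gateway and the return routes it needs.

Added example, not Check Point code. Pool ranges, gateway names and the route
tuples are constructed assumptions; they illustrate the per-gateway pool from
step 3, the exhaustion tracking from step 2, the idle timeout from step 6 and
the internal-router routes from step 7.
"""
import ipaddress

# Constructed: one disjoint pool per MEP gateway, as created in step 3.
POOLS = {
    "gw-a": ("10.200.1.1", "10.200.1.4"),    # tiny on purpose, to show exhaustion
    "gw-b": ("10.200.2.1", "10.200.2.254"),
}


class IpPoolNat:
    """Static (one-to-one) NAT from a pool: each internal source keeps one pool
    address until it has been idle for idle_minutes."""

    def __init__(self, first, last, idle_minutes):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.leases = {}              # pool address -> (internal source, last used)
        self.idle_minutes = idle_minutes
        self.exhaustion_events = 0    # what the "address exhaustion" tracking counts

    def allocate(self, src, now):
        """Pool address for src; None when the pool is exhausted."""
        for addr, (s, _) in self.leases.items():
            if s == src:                       # existing lease: refresh and reuse
                self.leases[addr] = (s, now)
                return addr
        if not self.free:
            self.exhaustion_events += 1        # the event step 2 asks you to track
            return None
        addr = self.free.pop(0)
        self.leases[addr] = (src, now)
        return addr

    def expire(self, now):
        """Return addresses idle for at least idle_minutes to the pool (step 6)."""
        expired = [a for a, (_, t) in self.leases.items()
                   if now - t >= self.idle_minutes]
        for a in expired:
            del self.leases[a]
            self.free.append(a)
        return expired


def pools_disjoint(pools):
    """Pools of different gateways must not share addresses, or the internal
    router cannot tell which gateway a return packet belongs to."""
    seen = {}
    for gw, (first, last) in pools.items():
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        for i in range(lo, hi + 1):
            if i in seen and seen[i] != gw:
                return False
            seen[i] = gw
    return True


def return_routes(pools):
    """(prefix, gateway) routes for an internal router, step 7: replies to a
    pool address go back to the gateway that owns that pool. Constructed format."""
    routes = []
    for gw, (first, last) in pools.items():
        for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)):
            routes.append((str(net), gw))
    return routes


def gateway_for(routes, addr):
    """Longest-prefix lookup of the gateway that owns a NATed address."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    assert pools_disjoint(POOLS)
    pool = IpPoolNat(*POOLS["gw-a"], idle_minutes=10)
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"):
        print(host, "->", pool.allocate(host, now=0))
    print("5th host:", pool.allocate("192.168.1.14", now=1))      # None: exhausted
    print("expired:", pool.expire(now=10))
    for prefix, gw in return_routes(POOLS):
        print(f"ip route {prefix} via {gw}")   # constructed route syntax
```

Size the pool for the number of hosts that can be translated at once, and keep the idle timeout short enough that addresses are returned before the exhaustion tracking fires under normal load; when it fires anyway, the log entry from step 2 is the first thing to look at.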